From 1d026767d129a7476ca221fb974a3fd1193853e8 Mon Sep 17 00:00:00 2001
From: Jj! <jj@unicon.net>
Date: Sun, 7 Oct 2018 21:36:09 -0500
Subject: [PATCH] [SHIBUI-808] fix configuration ordering

---
 .../ui/configuration/auto/WebSecurityConfig.java     |  4 +++-
 .../java/net/unicon/shibui/pac4j/WebSecurity.java    | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
index 0a0c9b9f5..34551abad 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
@@ -1,8 +1,10 @@
 package edu.internet2.tier.shibboleth.admin.ui.configuration.auto;
 
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.AutoConfigureOrder;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
@@ -21,7 +23,7 @@
  * Workaround for slashes in URL from [https://stackoverflow.com/questions/48453980/spring-5-0-3-requestrejectedexception-the-request-was-rejected-because-the-url]
  */
 @Configuration
-@AutoConfigureOrder(Integer.MAX_VALUE - 100)
+@AutoConfigureBefore(SpringBootWebSecurityConfiguration.class)
 @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
 public class WebSecurityConfig {
 
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index ba157b27d..3f6a806b7 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -1,8 +1,10 @@
 package net.unicon.shibui.pac4j;
 
+import edu.internet2.tier.shibboleth.admin.ui.configuration.auto.WebSecurityConfig;
 import org.pac4j.core.config.Config;
 import org.pac4j.springframework.security.web.CallbackFilter;
 import org.pac4j.springframework.security.web.SecurityFilter;
+import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
@@ -13,12 +15,22 @@
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 
 @Configuration
+@AutoConfigureBefore(WebSecurityConfig.class)
 public class WebSecurity {
     @Bean("webSecurityConfig")
     public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(final Config config) {
         return new Pac4jWebSecurityConfigurerAdapter(config);
     }
 
+    @Configuration
+    @Order(0)
+    public static class FaviconSecurityConfiguration extends WebSecurityConfigurerAdapter {
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            http.authorizeRequests().antMatchers("/favicon.ico").permitAll();
+        }
+    }
+
     @Order(1)
     public static class Pac4jWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
         private final Config config;